[kernel] r8377 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Tue Mar 20 08:07:57 UTC 2007


Author: dannf
Date: Tue Mar 20 07:07:56 2007
New Revision: 8377

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/aio-fix-nr_pages-init.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* aio-fix-nr_pages-init.dpatch
  [SECURITY] Fix initialization of info->nr_pages in aio_setup_ring() to
  avoid a race that can lead to a system crash
  See CVE-2006-5754

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Tue Mar 20 07:07:56 2007
@@ -28,8 +28,12 @@
     [SECURITY] Fix userspace corruption vulnerability caused by
     incorrectly promoted return values in bad_inode_ops
     See CVE-2006-5753
+  * aio-fix-nr_pages-init.dpatch
+    [SECURITY] Fix initialization of info->nr_pages in aio_setup_ring() to
+    avoid a race that can lead to a system crash
+    See CVE-2006-5754
 
- -- dann frazier <dannf at debian.org>  Tue, 20 Mar 2007 00:47:10 -0600
+ -- dann frazier <dannf at debian.org>  Tue, 20 Mar 2007 01:05:01 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 

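Review bot: The added entry describes the bug as "a race that can lead to a system crash", while the upstream changeset text carried in aio-fix-nr_pages-init.dpatch describes it as nr_pages being set before ring_pages[] is actually filled, which confuses the code that frees the structure. Consider wording the entry to name that condition (nr_pages claimed before the pages exist, then seen by the freeing code), so that someone triaging CVE-2006-5754 from the changelog alone can tell which path in aio_setup_ring() is affected.
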
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/aio-fix-nr_pages-init.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/aio-fix-nr_pages-init.dpatch	Tue Mar 20 07:07:56 2007
@@ -0,0 +1,34 @@
+
+#### ChangeSet ####
+2004-11-07 10:22:27-08:00, torvalds at ppc970.osdl.org 
+  aio: remove incorrect initialization of "nr_pages"
+  
+  We should not claim to have filled in the ring_pages[] array
+  until we actually _do_ fill it in. It will confuse the code
+  that frees the structure if we claim there are pages there
+  that don't exist.
+  
+  Noted by Darrick Wong.
+
+==== fs/aio.c ====
+2004-11-07 10:22:21-08:00, torvalds at ppc970.osdl.org +0 -2
+  aio: remove incorrect initialization of "nr_pages"
+  
+  We should not claim to have filled in the ring_pages[] array
+  until we actually _do_ fill it in. It will confuse the code
+  that frees the structure if we claim there are pages there
+  that don't exist.
+  
+  Noted by Darrick Wong.
+
+--- 1.60/fs/aio.c	2004-10-20 01:12:10 -07:00
++++ 1.61/fs/aio.c	2004-11-07 10:22:21 -08:00
+@@ -118,8 +118,6 @@ static int aio_setup_ring(struct kioctx 
+ 	if (nr_pages < 0)
+ 		return -EINVAL;
+ 
+-	info->nr_pages = nr_pages;
+-
+ 	nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
+ 
+ 	info->nr = 0;
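
Review bot: In the fs/aio.c hunk, the removed "info->nr_pages = nr_pages;" is the only assignment to that field visible here, and the hunk was generated against fs/aio.c 1.60 to 1.61 (2004-11-07), not against the 2.6.8 tree this dpatch is applied to. Please confirm that aio_setup_ring() in the 2.6.8 source still sets info->nr_pages after ring_pages[] has been populated, and that the hunk applies at the expected location; if that later assignment is missing in this base, the field would never be set at all. Separately, the patch header repeats the changeset description twice and does not mention CVE-2006-5754; a single description plus a line with the CVE id would make the file traceable without the changelog.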

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	Tue Mar 20 07:07:56 2007
@@ -5,3 +5,4 @@
 + smbfs-honor-mount-opts-2.dpatch
 + bluetooth-capi-size-checks.dpatch
 + listxattr-mem-corruption.dpatch
++ aio-fix-nr_pages-init.dpatch


